Sony has released firmware updates that remove a remotely exploitable backdoor account from 80 models of IP and security cameras.
The backdoor account can be triggered through a crafted HTTP request, so on unpatched devices an attacker can take over Sony surveillance cameras and add them to a Mirai-like botnet used to relay malicious traffic or launch DDoS attacks.
EU-based security firm SEC Consult says it found the flaw following a routine firmware inspection. Its researchers say a standard scan had identified two hardcoded password hashes in the firmware deployed on several security cameras.
The first was for the standard "admin" account, while the second was for an undocumented "root" account. After further inspection, researchers discovered that this second account could be accessed both locally and via an Internet connection, but that remote access wasn't possible by default.
Furthermore, researchers said they also found two other accounts that appeared to be debugging accounts, left in the firmware for troubleshooting purposes.
One is user "primana" with password "primana" that appears to have been used for device testing or factory calibration, while the second is user "debug" with password "popeyeConnection" that researchers said they didn't analyze.
Unlike the "root" account, these two were remotely accessible, and SEC Consult researchers say that an attacker could use either of them to reach an undocumented web server CGI script that, when it received a specially crafted HTTP request, would turn on the Telnet daemon with remote access.
"The 'root' account can then be used via the Telnet access to gain full access to the device," a SEC Consult spokesperson told Bleeping Computer via email.
Researchers said they didn't bother cracking this "root" account's password hash, but this is only a matter of time for a determined threat actor.
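The chain described above (authenticate as a debug account, hit the CGI script, then log in over Telnet as "root") leaves a trace in the camera's or a reverse proxy's HTTP access log before any Telnet session exists. The following Python script is an added defender-side illustration, not code from the article or from SEC Consult: it parses Common Log Format lines and flags every request authenticated as one of the two remotely reachable debug accounts named above, recording whether the web server accepted or rejected it. The article does not disclose the CGI script's path, so the sample log lines are constructed and use an obviously labelled placeholder path; the detector keys on the authenticated username rather than the URL.

```python
import re
from dataclasses import dataclass

# Debug accounts named in the SEC Consult findings as remotely accessible.
# The real CGI path is not public in the article, so the detector does not
# depend on it.
BACKDOOR_ACCOUNTS = {"primana", "debug"}

# Common Log Format: host ident authuser [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)


@dataclass
class Alert:
    host: str      # client address that sent the request
    user: str      # authenticated username from the log's %u field
    path: str      # requested path
    status: int    # HTTP status returned by the camera
    reason: str    # human-readable explanation for the analyst


def parse_line(line):
    """Return the parsed fields of one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines):
    """Scan log lines and return an Alert for each request by a debug account.

    A 2xx/3xx status means the web server accepted the account, which is the
    behaviour of unpatched firmware; a 4xx means it was rejected, which still
    indicates someone probing for the backdoor.
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] not in BACKDOOR_ACCOUNTS:
            continue
        status = int(rec["status"])
        outcome = "accepted" if status < 400 else "rejected"
        reason = f"debug account {rec['user']!r} {outcome} by the web server"
        if rec["path"].lower().endswith(".cgi"):
            reason += "; request targets a CGI endpoint"
        alerts.append(Alert(rec["host"], rec["user"], rec["path"], status, reason))
    return alerts


def hosts_by_alert_count(alerts):
    """Aggregate alerts per client address so the noisiest source is listed first."""
    counts = {}
    for a in alerts:
        counts[a.host] = counts.get(a.host, 0) + 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample log; addresses are documentation ranges and the CGI
# path is a placeholder, not the undocumented script's real name.
SAMPLE_LOG = """\
10.0.0.5 - admin [05/Dec/2016:10:01:12 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512
203.0.113.7 - primana [05/Dec/2016:10:02:03 +0000] "GET /cgi-bin/PLACEHOLDER_DEBUG.cgi HTTP/1.1" 200 0
10.0.0.5 - - [05/Dec/2016:10:02:30 +0000] "GET /image HTTP/1.1" 200 40120
203.0.113.7 - debug [05/Dec/2016:10:03:15 +0000] "GET /cgi-bin/PLACEHOLDER_DEBUG.cgi HTTP/1.1" 401 0
not a log line at all
"""

if __name__ == "__main__":
    found = analyze(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a.host} {a.user} {a.path} {a.status}: {a.reason}")
    for host, n in hosts_by_alert_count(found):
        print(f"{host}: {n} alert(s)")
```

On the constructed input the script raises two alerts, both from 203.0.113.7: one accepted request as "primana" (what an unpatched camera does) and one rejected request as "debug". After applying Sony's firmware update, any request by these accounts should land in the rejected category; an accepted one on a device believed to be patched is worth investigating.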
"We believe that this backdoor was introduced by Sony developers on purpose (maybe as a way to debug the device during development or factory functional testing) and not an 'unauthorized third party' like in other cases (e.g. the Juniper ScreenOS Backdoor, CVE-2015-7755)," SEC Consult experts said.
The security firm told Sony of its findings on October 11, and the hardware maker released firmware updates on November 28. Sony hasn't provided any explanation to researchers about the presence of the "root" account.
According to Sony, the following IPELA surveillance camera models are affected, and device owners should look into updating their firmware:
SNC-CH115, SNC-CH120, SNC-CH160, SNC-CH220, SNC-CH260, SNC-DH120, SNC-DH120T, SNC-DH160, SNC-DH220, SNC-DH220T, SNC-DH260, SNC-EB520, SNC-EM520, SNC-EM521, SNC-ZB550, SNC-ZM550, SNC-ZM551, SNC-EP550, SNC-EP580, SNC-ER550, SNC-ER550C, SNC-ER580, SNC-ER585, SNC-ER585H, SNC-ZP550, SNC-ZR550, SNC-EP520, SNC-EP521, SNC-ER520, SNC-ER521, SNC-ER521C, SNC-CX600, SNC-CX600W, SNC-EB600, SNC-EB600B, SNC-EB602R, SNC-EB630, SNC-EB630B, SNC-EB632R, SNC-EM600, SNC-EM601, SNC-EM602R, SNC-EM602RC, SNC-EM630, SNC-EM631, SNC-EM632R, SNC-EM632RC, SNC-VB600, SNC-VB600B, SNC-VB600B5, SNC-VB630, SNC-VB6305, SNC-VB6307, SNC-VB632D, SNC-VB635, SNC-VM600, SNC-VM600B, SNC-VM600B5, SNC-VM601, SNC-VM601B, SNC-VM602R, SNC-VM630, SNC-VM6305, SNC-VM6307, SNC-VM631, SNC-VM632R, SNC-WR600, SNC-WR602, SNC-WR602C, SNC-WR630, SNC-WR632, SNC-WR632C, SNC-XM631, SNC-XM632, SNC-XM636, SNC-XM637, SNC-VB600L, SNC-VM600L, SNC-XM631L, SNC-WR602CL
UPDATE: Corrected exploitation chain for backdoor accounts.